DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Audit of the Automated Commercial Environment Secure Data Portal: Management Controls Needed Improvement

Office of Audits
OIG-04-35    September 2004

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, investigative, and special reports prepared by the OIG as part of its DHS oversight responsibility to identify and prevent fraud, waste, abuse, and mismanagement.

This report assesses the strengths and weaknesses of the program or operation under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein, if any, have been developed to the best knowledge available to the OIG, and have been discussed in draft with those responsible for implementation. It is my hope that this report will result in more effective, efficient, and economical operations. I express my appreciation to all of those who contributed to the preparation of this report.

Clark Kent Ervin
Inspector General

Contents

  Abbreviations
  Introduction
  Results in Brief
  Background
  Process For Gathering User Feedback
  Process to Monitor User Feedback
  Other Matters

Appendices

  Appendix 1: Purpose, Scope, and Methodology
  Appendix 2: Recommendation
  Appendix 3: Overview of ACE Releases
  Appendix 4: Major Contributors To This Report
  Appendix 5: Report Distribution

Abbreviations

  ACE     Automated Commercial Environment
  AD      Anti-Dumping
  ATS     Automated Targeting System
  CBP     Customs and Border Protection
  CCIE    Cargo, Conveyance, Individual and Equipment
  CFO     Chief Financial Officer
  CROSS   Customs Rulings Online Search System
  CVD     Countervailing Duty
  eCP     e-Customs Partnership
  EFT     Electronic Funds Transfer
  FCC     Federal Communications Commission
  FDA     Food and Drug Administration
  FMCSA   Federal Motor Carrier Safety Administration
  FOIA    Freedom of Information Act
  FTZ     Foreign Trade Zone
  HTS     Harmonized Tariff Schedule
  IASS    Importer Activity Summary Statement
  ITC     International Trade Commission
  MARAD   Maritime Administration
  NTC     National Targeting Center
  OIG     Office of Inspector General
  PTR     Product Trouble Report
  TBD     To Be Determined

Introduction

The Automated Commercial Environment (ACE) Secure Data Portal is a system that will allow the private sector trade community to submit data that meets all federal requirements for cargo entering and leaving the United States. The development of ACE is a massive and multifaceted effort directly related to the success of the Customs and Border Protection (CBP) mission. According to CBP, ACE will enable CBP to:

  • process and monitor import and export shipments and related trade activity more efficiently through trade accounts versus individual transactions;
  • release cargo more efficiently by integrating international law enforcement intelligence, commercial intelligence, and data mining results to focus efforts on high-risk importers and accounts; and
  • facilitate cargo processing by permitting the transfer of automated entry, entry summary, and manifest information in one standard data set for all modes of transportation.

The vision of ACE is to create a single portal [1] for all Federal requirements for international cargo. This will provide the trade community a single web-based interface to make periodic payments, post transactions, and view statement records by account. This will benefit the federal government by creating a common knowledge-based risk management system for joint enforcement targeting and intelligence development.

[1] A “portal” is software that provides a controlled gateway to an internet site.

The objective of the audit was to determine whether CBP was managing and developing the ACE Secure Data Portal to meet user expectations in the areas of user feedback and the change request process. The audit work was performed from April to November 2003. This report and the two prior reports issued, taken together, represent the results of the audit of the ACE Secure Data Portal.

Our first report addressed a critical contract deliverable and technical reporting issues. CBP concurred with our two recommendations relating to acceptance of the foundational activities in the deliverable and improving technical reporting. (Audit Report Number OIG-01-04, titled Audit of the Automated Commercial Environment Secure Data Web Portal: Quality of Deliverables Can Be Improved, dated November 25, 2003)

Our second report addressed security concerns and was issued for official use only. (Audit Report Number OIG-04-22, titled Audit of the Automated Commercial Environment Secure Data Web Portal: Information System Security Requirements Need To Be Implemented, dated May 24, 2004)

Results in Brief

The process used by e-Customs Partnership (eCP) to gather user feedback was adequate. During a 90-day pilot, eCP established a logical process to gather user feedback. This process resulted in the initiation of Product Trouble Reports (Trouble Reports) and change requests.

However, the CBP Modernization Office was not tracking all the user feedback collected by eCP. A monitoring process would allow the CBP Modernization Office to review, evaluate, monitor, and track user feedback to ensure that issues important to CBP are properly addressed.

In addition, change request packages did not always have the required documentation identifying how changes would impact the program. As a result, the Change Control Board and Project Directors approved work requirement changes without knowing the full impact of the changes to the program.

Background

CBP enforces the trade laws of the United States while also facilitating legitimate trade and travel. In performing its mission, CBP counters the dual threats of narcotics smuggling and terrorist infiltration. The ability of CBP to process the growing volume of imports, while improving compliance with trade laws, depends heavily on successfully improving the trade compliance process and modernizing supporting automated systems. In August 2001, eCP, the prime contractor for the development of ACE, started work. Currently, eCP is scheduling the full deployment of ACE by December 2007 at an estimated cost of $2.24 billion.

The ACE development coalition, eCP, is delivering ACE in a series of seven releases. Each release provides added functionalities and capabilities. (See Appendix 3 for an Overview of ACE Releases.) As of May 2004, eCP had deployed Release 2 [2], which established the initial infrastructure upon which all subsequent ACE functionality would rest and provided access to CBP account managers and 41 companies who import merchandise into the United States. CBP accepted delivery of Release 2 in October 2003 and started testing the system with CBP account managers and 41 companies to gather feedback on system functionality. Release 3 will increase the number of trade accounts and provide monthly statements and payments. Release 3 will also deliver the ACE infrastructure through which internal and external users will access revenue, sensitive law enforcement, and proprietary corporate information. Release 3, which allows importers and designated brokers to make periodic monthly payments for monthly statements of duties and fees, is scheduled for deployment in the summer of 2004.

[2] CBP chose not to implement Release 1 due to problems with infrastructure, performance, and usability.

Process For Gathering User Feedback

eCP established an adequate process to gather user feedback needed to help initiate Trouble Reports and change requests during the Release 2 pilot performance period. The feedback gathered by this process also provided additional information to improve future releases of the ACE Secure Data Portal.

The ACE pilot performance period is a 90-day trial period where the system operates in a production environment. The purpose of a pilot performance period is to ensure that the release meets the business needs of the users. At the end of a pilot, CBP decides whether to accept or reject the release.

User Acceptance Testing is a formal method of measuring user satisfaction that was conducted during part of the pilot performance period. The purpose of User Acceptance Testing was to test the ACE Secure Data Portal in a real world business environment with real users interfacing with their actual data. Based on its experience with User Acceptance Testing feedback from evaluating Release 1, eCP engaged a specialist in the field of system usability to develop, administer, and evaluate metrics for User Acceptance Testing in Release 2. CBP and eCP gathered user feedback through three different methods:

  • The ACE Secure Data Portal has a function that enables users to transmit comments and problems to eCP online. Users provided feedback during the pilot performance period.
  • eCP operated the ACE help desk throughout the pilot performance period. The ACE help desk generated trouble tickets for problems, issues, and suggestions or elevated issues to appropriate parties in eCP or CBP as calls were received.
  • CBP and eCP had direct contact with users during User Acceptance Testing via telephone calls, e-mails, surveys, and on-site visits. Users provided feedback on specific problems or concerns.

Comments made by the users, and considered material to eCP, resulted in Trouble Reports or change requests, or were elevated to the appropriate party in eCP or CBP. eCP created Trouble Reports when it was determined that the comment represented the incorrect or incomplete implementation of a system requirement. Change requests were initiated for comments that represented a requirement for added system functionality. The Trouble Reports and the change requests were also used to track and address problems identified by users during the pilot performance period.

eCP provided CBP with a report summarizing the User Acceptance Testing results, Trouble Report performance measurements, and help desk performance measurements. The report also described the methods used to gather ACE user feedback.

Process To Monitor User Feedback

The CBP Modernization Office was not monitoring user feedback gathered by eCP. The CBP Modernization Office is responsible for monitoring eCP’s development of ACE. However, since this was the first pilot performance period with external users, the CBP Modernization Office did not have a formal tracking system to monitor the disposition of the detailed user feedback. A monitoring process is necessary to ensure that issues important to CBP are incorporated into ACE.

We recommended a formal user feedback tracking system to the Workforce Transformation Director for the CBP Modernization Office during the audit. As a result, on March 12, 2004, the Workforce Transformation Director included a process to monitor user feedback as a deliverable in Task Order 16. He provided the detailed requirements for tracking user feedback to the contractor in a Product Description Document that presented the proposed concept and content of the deliverable, titled “Process for Gathering and Disseminating Feedback.” This deliverable will be used to summarize the findings, analysis, conclusions, and recommendations of this activity.

Recommendation 1

We recommend that the CBP Modernization Office Director develop and issue a formal system for tracking user feedback.

OIG Comment

The actions taken by CBP during the audit satisfy the intent of our recommendation.

Other Matters

Change request packages that needed impact statements did not always address all of the critical areas required. This occurred because the packages were not adequately reviewed to ensure that all information necessary to make informed decisions was included. The Configuration Management Team and Change Sponsors are responsible for including all of the required documentation in the packages. Further, change request procedures did not require including alternative solutions in the packages. As a result, this increased the risk of approving changes that may have a negative impact on the cost, schedule, and quality of the program.

During the audit, we discussed this issue with CBP Modernization Office management officials. In response to our discussion, the Director of Program Control issued a memorandum on December 17, 2003, emphasizing the importance of ensuring that impact analyses include, as a minimum, sufficient documentation on technical issues, staffing, cost, schedule, system interfaces, security, and contract issues. This memo, issued to all change request initiators, sponsors, reviewers, and configuration management personnel, also requires that any alternative solutions to the change be annotated on the change request.

Appendix A
Purpose, Scope, and Methodology

The objective of this audit was to determine whether the CBP was properly managing user feedback and the change control process to ensure that user expectations for the ACE Secure Data Portal were being met. To accomplish this objective, our audit work included:

  • Interviews conducted with various CBP and eCP officials at CBP Headquarters, as well as CBP and eCP facilities in Virginia.
  • Review of pertinent plans and documents related to the design, development, deployment, cost, and schedule of the ACE Secure Data Portal, including but not limited to:
      • Program Plans
      • Program Management Reviews
      • Requirement Specification Set
      • Requirements Traceability Management System
      • Security Risk Assessment
      • Production and Operational Readiness Reviews
      • Release 1 and 2 Pilot Test Reports
      • Change Request Process
      • User Acceptance Test Reports
      • Management Reserve Fund
      • MITRE Weekly and Monthly Reports
  • Review of change request documents to evaluate documentation support and impact analysis statements.
  • Attendance at a September 2003 trade support meeting held in Reston, Virginia, and at various recurring meetings held by the CBP Modernization Office, support contractors, and eCP relating to ACE development.
  • Coordination of OIG audit work with the General Accountability Office.

We conducted the audit from April 2003 through November 2003 according to generally accepted government auditing standards and pursuant to the Inspector General Act of 1978, as amended.

Appendix B
Recommendation

Recommendation 1

We recommend that the CBP Modernization Office Director develop and issue a formal system for tracking user feedback.

Appendix C
Overview of ACE Releases

Appendix D
Major Contributors to This Report

George Tabb, Houston Field Office Director
Gene Wendt, Audit Manager
Carlos Berrios, Auditor in Charge
David Porter, Auditor
Christy Staples, Auditor
Linda Howarton, Referencer

Appendix E
Report Distribution

Department of Homeland Security

  Deputy Secretary
  Deputy Secretary Chief of Staff
  General Counsel
  Chief Information Officer
  DHS OIG Liaison

Customs and Border Protection

  Commissioner
  Customs and Border Protection Modernization Office Director
  Director, Evaluations and Oversight, Office of Planning Director

Office of Management and Budget

  Homeland Bureau Chief
  DHS OIG Budget Examiner

Congress

  Congressional Oversight and Appropriation Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to Department of Homeland, Washington, DC 20528, Attn: Office of Inspector General, Investigations Division – Hotline. The OIG seeks to protect the identity of each writer and caller.